Issue Trying To Get AD Integration Working

Hello Everyone:

I have been trying for sometime to get AD auth working correctly on my
server. I’ve managed to get most of the way there I think but am
consistently getting hung up on an error.

Below is a sample of my configuration…

Plugin(“RT::Authen::ExternalAuth”);
Set($ExternalAuthPriority, [‘My_LDAP’]);
Set($ExternalInfoPriority, [‘My_LDAP’]);
Set($ExternalServiceUsesSSLorTLS, 1);
Set($AutoCreateNonExternalUsers, 0);
Set($ExternalSettings, {
‘My_LDAP’ => {
‘type’ => ‘ldap’,
‘server’ => ‘ldaps://example.company.org’,
‘base’ => ‘dc=xxxxx,dc=org’,
‘filter’ => ‘(objectClass=*)’,
‘d_filter’ =>
’(userAccountControl:1.2.840.113556.1.4.803:=2)’,
‘tls’ => 0,
‘ssl_version’ => 3,
‘net_ldap_args’ => [ version => 3 ]
},
} );

I am trying to do this via LDAPS using our root CAs (which I have already
configured via openLDAP). Each time I attempt to authenticate I get the
following error in the logs…

[14177] [Wed Apr 2 19:10:16 2014] [debug]: UserExists params:
username: MY_NTUSERNAME , service: My_LDAP
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:439)
[14177] [Wed Apr 2 19:10:16 2014] [error]: Can’t call method "as_string"
without a package or object reference at
/opt/rt4/local/plugins/RT-Authen-ExternalA
uth/lib/RT/Authen/ExternalAuth/LDAP.pm line 469.
Stack:

[/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469]

[/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:505]

[/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:255]
[/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:15]

[/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Session:1]
[/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:309]
[/opt/rt4/share/html/autohandler:53]
(/opt/rt4/sbin/…/lib/RT/Interface/Web/Handler.pm:211)
I found that this line of code pertained to some debugging info and out of
pure curiosity I commented this piece of code out. When I did so the logs
error’d out only this time they stated the user could not be found. After
seeing this I uncommented the debug line :slight_smile:

  • I have verified that I am seeing traffic to/from the LDAP server over 636.
  • I have attempted to do this via TLS and SSL with no change in result.
  • I have tried adjusting my filters, but in reality they are a catch all as
    is.
  • I have tried pointing to a different LDAP server, same result.

It is unclear to me at this point what the problem is, although things seem
suggestive of an LDAP query gone awry. After doing some research on my own,
I am unable to determine what exactly is wrong with it. All I want at this
point is to have authentication via AD.

Many thanks in advance for you help!
-Jason

I have been trying for sometime to get AD auth working correctly on my
server. I’ve managed to get most of the way there I think but am
consistently getting hung up on an error.

Set($ExternalSettings, {
‘My_LDAP’ => {
‘type’ => ‘ldap’,
‘server’ => ‘ldaps://example.company.org
http://example.company.org’,
‘base’ => ‘dc=xxxxx,dc=org’,
‘filter’ => ‘(objectClass=*)’,
‘d_filter’ =>
‘(userAccountControl:1.2.840.113556.1.4.803:=2)’,
‘tls’ => 0,
‘ssl_version’ => 3,
‘net_ldap_args’ => [ version => 3 ]
},
} );

Some questions:

  • Do you have SSL configured on port tcp/636 for your AD? (It’s not an
    out-of-the-box option.) We’ve dropped back to using mandatory TLS on
    tcp/389.
  • Have you tried using something like ldapsearch to confirm that your
    connection parameters are correct?
  • IME, AD requires authentication to bind to anything other than the
    base scope. Have you omitted this just for the email, or in its entirety?

The following is a configuration that “works for me”

 'type' => 'ldap',
 'server' => 'dc.example.org',
 'user' => 'user@example.org',
 'pass' => 'secretpassword',
 'base' => 'dc=example,dc=org',
 'filter' => '(ObjectClass=User)',
 'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
 'attr_match_list' => [ 'Name', 'EmailAddress', 'displayName' ],
 'attr_map' => {
         'Name' => 'sAMAccountName',
         'EmailAddress' => 'mail',
         'Organization' => 'physicalDeliveryOfficeName',
         'RealName' => 'cn',
         'ExternalAuthId' => 'sAMAccountName',
         'Gecos' => 'sAMAccountName',
         'WorkPhone' => 'telephoneNumber',
         'Address1' => 'streetAddress',
         'City' => 'l',
         'State' => 'st',
         'Zip' => 'postalCode',
         'Country' => 'co',
 },
 # Permit domain prefix on username ("EXAMPLE\user")
 # 'ad_domain_prefix' => 'EXAMPLE',      # case insensitive
 # 'ad_domain_required' => 'no',         # { 'yes' | 'no' }
 # 'ad_domain_separator' => '\\',        # split here

Here are some URLs of configurations that according to my notes were
useful at the time

Regards,
Chris

smime.p7s (3.66 KB)

Set($ExternalSettings, {
‘My_LDAP’ => {
‘type’ => ‘ldap’,
‘server’ => ‘ldaps://[1]example.company.org’,
‘base’ => ‘dc=xxxxx,dc=org’,
‘filter’ => ‘(objectClass=*)’,
‘d_filter’ => ‘(userAccountControl:1.2.840.113556.1.4.803:=2)’,
‘tls’ => 0,
‘ssl_version’ => 3,
‘net_ldap_args’ => [ version => 3 ]
},
} );

I am trying to do this via LDAPS using our root CAs (which I have already configured via
openLDAP). Each time I attempt to authenticate I get the following error in the logs…

The debugging line blows up because the filter constructed is invalid
because you’ve not provided attr_map, which means RT has no idea how
to map things in LDAP to things in RT.

You’ll need a complete config to use RT::Authen::ExternalAuth

Also, since you’re just setting up, upgrade to the current release of
the module.

The docs cover the needed config settings
https://metacpan.org/source/FALCONE/RT-Authen-ExternalAuth-0.18/etc/RT_SiteConfig.pm#L212

-kevin

Kevin/Chris:

Thanks for taking the time to reply. After taking both your suggestions
into account I got a service account setup and configured the attr_map
attribute. Initially, I was trying to get this working using just my
certificate and then binding as the user who was authenticating (not
needing a service account). As I understand now however, this is necessary
for this plugin.

Thanks,
JasonOn Thu, Apr 3, 2014 at 1:55 PM, Kevin Falcone falcone@bestpractical.comwrote:

On Wed, Apr 02, 2014 at 02:44:31PM -0500, Jason Batchelor wrote:

Set($ExternalSettings, {
‘My_LDAP’ => {
‘type’ => ‘ldap’,
‘server’ => ‘ldaps://[1]example.company.org’,
‘base’ => ‘dc=xxxxx,dc=org’,
‘filter’ => ‘(objectClass=*)’,
‘d_filter’ => ‘(userAccountControl:1.2.840.113556.1.4.803:=2)’,
‘tls’ => 0,
‘ssl_version’ => 3,
‘net_ldap_args’ => [ version => 3 ]
},
} );

I am trying to do this via LDAPS using our root CAs (which I have
already configured via
openLDAP). Each time I attempt to authenticate I get the following
error in the logs…

The debugging line blows up because the filter constructed is invalid
because you’ve not provided attr_map, which means RT has no idea how
to map things in LDAP to things in RT.

You’ll need a complete config to use RT::Authen::ExternalAuth

Also, since you’re just setting up, upgrade to the current release of
the module.

The docs cover the needed config settings

etc/RT_SiteConfig.pm - metacpan.org

-kevin


RT Training - Dallas May 20-21
Training — Best Practical Solutions